#### Human Readable Output
##### Report 413336 analysis results
| Category | Started | Completed | Duration | VmName | VmID | ReportID | Verdict |
| --- | --- | --- | --- | --- | --- | --- | --- |
| File | 2019-05-30 14:05:25 | 2019-05-30 14:06:33 | 68 | | | 413336 | Benign |
### threatstream-analysis-report
***
Returns the report of a file or URL that was submitted to the sandbox.
#### Base Command
`threatstream-analysis-report`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| report_id | Report ID to return. | Required |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| ThreatStream.Analysis.ReportID | String | The ID of the report submitted to the sandbox. |
| ThreatStream.Analysis.Category | String | The report category. |
| ThreatStream.Analysis.Started | String | Detonation start time. |
| ThreatStream.Analysis.Completed | String | Detonation completion time. |
| ThreatStream.Analysis.Duration | Number | Duration of the detonation \(in seconds\). |
| ThreatStream.Analysis.VmName | String | The name of the VM. |
| ThreatStream.Analysis.VmID | String | The ID of the VM. |
| ThreatStream.Analysis.Network.UdpSource | String | The source of UDP. |
| ThreatStream.Analysis.Network.UdpDestination | String | The destination of UDP. |
| ThreatStream.Analysis.Network.UdpPort | String | The port of the UDP. |
| ThreatStream.Analysis.Network.IcmpSource | String | The ICMP source. |
| ThreatStream.Analysis.Network.IcmpDestination | String | The destination of ICMP. |
| ThreatStream.Analysis.Network.IcmpPort | String | The port of the ICMP. |
| ThreatStream.Analysis.Network.TcpSource | String | The source of TCP. |
| ThreatStream.Analysis.Network.TcpDestination | String | The destination of TCP. |
| ThreatStream.Analysis.Network.TcpPort | String | The port of TCP. |
| ThreatStream.Analysis.Network.HttpSource | String | The source of HTTP. |
| ThreatStream.Analysis.Network.HttpDestinaton | String | The destination of HTTP. |
| ThreatStream.Analysis.Network.HttpPort | String | The port of HTTP. |
| ThreatStream.Analysis.Network.HttpsSource | String | The source of HTTPS. |
| ThreatStream.Analysis.Network.HttpsDestinaton | String | The destination of HTTPS. |
| ThreatStream.Analysis.Network.HttpsPort | String | The port of HTTPS. |
| ThreatStream.Analysis.Network.Hosts | String | The hosts of network analysis. |
| ThreatStream.Analysis.Verdict | String | The verdict of the sandbox detonation. |
#### Command Example
threatstream-get-analysis-status report_id=422662
#### Context Example
{
"ThreatStream": {
"Analysis": {
"Platform": "WINDOWS7",
"ReportID": "422662",
"Status": "processing",
"Verdict": "Benign"
}
}
}
#### Human Readable Output
##### The analysis status for id 422662
| Category | Started | Completed | Duration | VmName | VmID | ReportID | Verdict |
| --- | --- | --- | --- | --- | --- | --- | --- |
| File | 2019-05-30 14:05:25 | 2019-05-30 14:06:33 | 68 | | | 413336 | Benign |
### threatstream-get-indicators
***
Returns filtered indicators from ThreatStream. If a query is defined, it overrides all other arguments that were passed to the command.
#### Base Command
`threatstream-get-indicators`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| query | Anomali Observable Search Filter Language query to filter indicator results. If a query is passed as an argument, it overrides all other arguments. | Optional |
| asn | Autonomous System (AS) number associated with the indicator. | Optional |
| confidence | Level of certainty that an observable<br/>is of the reported indicator type. Confidence scores range from 0-100, in increasing order of confidence, and are assigned by ThreatStream based on several factors. | Optional |
| country | Country associated with the indicator. | Optional |
| created_ts | When the indicator was first seen on<br/>the ThreatStream cloud platform. Date must be specified in this format:<br/>YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time.<br/>For example, 2014-10-02T20:44:35. | Optional |
| id | Unique ID for the indicator. | Optional |
| is_public | Classification of the indicator. | Optional |
| indicator_severity | Severity assigned to the indicator by ThreatStream. | Optional |
| org | Registered owner (organization) of the IP address associated with the indicator. | Optional |
| status | Status assigned to the indicator. | Optional |
| tags_name | Tag assigned to the indicator. | Optional |
| type | Type of indicator. | Optional |
| indicator_value | Value of the indicator. | Optional |
| limit | Maximum number of results to return from ThreatStream. Default is 20. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| ThreatStream.Indicators.IType | String | The indicator type. |
| ThreatStream.Indicators.Modified | String | Date and time when the indicator was last updated on the ThreatStream. Format: YYYYMMDDThhmmss, where T denotes the start of the value for time, in UTC time. |
| ThreatStream.Indicators.Confidence | String | Level of certainty that an observable is of the reported indicator type. |
| ThreatStream.Indicators.Value | String | The indicator value. |
| ThreatStream.Indicators.Status | String | The indicator status. |
| ThreatStream.Indicators.Organization | String | Registered owner \(organization\) of the IP address associated with the indicator. |
| ThreatStream.Indicators.Country | String | Country associated with the indicator. |
| ThreatStream.Indicators.Tags | String | Tag assigned to the indicator. |
| ThreatStream.Indicators.Source | String | The source of the indicator. |
| ThreatStream.Indicators.ID | String | The ID of the indicator. |
| ThreatStream.Indicators.ASN | String | Autonomous System \(AS\) number associated with the indicator. |
| ThreatStream.Indicators.Severity | String | The severity assigned to the indicator. |
#### Command Example
threatstream-get-indicators type=ip status=active asn=4837 country=CN confidence=84 indicator_severity=medium org="China Unicom Guangxi" limit=5
#### Context Example
{
"ThreatStream.Indicators": [
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": null,
"Country": "CN",
"Modified": "2019-06-24T10:19:52.077Z",
"Value": "121.31.166.99",
"ID": 53042398831,
"Source": "Anomali Labs MHN",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
},
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": "port-1433,suricata,TCP",
"Country": "CN",
"Modified": "2019-06-24T09:51:04.804Z",
"Value": "121.31.166.99",
"ID": 53042253345,
"Source": "Anomali Labs MHN Tagged",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
},
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": null,
"Country": "CN",
"Modified": "2019-06-24T06:08:12.585Z",
"Value": "182.88.27.168",
"ID": 53016547378,
"Source": "DShield Scanning IPs",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
},
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": "AlienVault,OTX",
"Country": "CN",
"Modified": "2019-06-23T19:38:05.782Z",
"Value": "182.91.129.165",
"ID": 53038621037,
"Source": "Alien Vault OTX Malicious IPs",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
},
{
"Status": "active",
"Confidence": 84,
"IType": "scan_ip",
"Severity": "medium",
"Tags": null,
"Country": "CN",
"Modified": "2019-06-23T17:52:51.165Z",
"Value": "182.91.129.207",
"ID": 52970998522,
"Source": "DShield Scanning IPs",
"Organization": "China Unicom Guangxi",
"Type": "ip",
"ASN": "4837"
}
]
}
#### Human Readable Output
##### The indicators results
| IType | Value | Confidence | ID | Source | Type | Status | Tags | Modified | Organization | ASN | Country | Severity |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| scan_ip | 121.31.166.99 | 84 | 53042398831 | Anomali Labs MHN | ip | active | | 2019-06-24T10:19:52.077Z | China Unicom Guangxi | 4837 | CN | medium |
| scan_ip | 121.31.166.99 | 84 | 53042253345 | Anomali Labs MHN Tagged | ip | active | port-1433,suricata,TCP | 2019-06-24T09:51:04.804Z | China Unicom Guangxi | 4837 | CN | medium |
| scan_ip | 182.88.27.168 | 84 | 53016547378 | DShield Scanning IPs | ip | active | | 2019-06-24T06:08:12.585Z | China Unicom Guangxi | 4837 | CN | medium |
| scan_ip | 182.91.129.165 | 84 | 53038621037 | Alien Vault OTX Malicious IPs | ip | active | AlienVault,OTX | 2019-06-23T19:38:05.782Z | China Unicom Guangxi | 4837 | CN | medium |
| scan_ip | 182.91.129.207 | 84 | 52970998522 | DShield Scanning IPs | ip | active | | 2019-06-23T17:52:51.165Z | China Unicom Guangxi | 4837 | CN | medium |
### threatstream-add-tag-to-model
***
Add tags to intelligence for purposes of filtering for related entities.
#### Base Command
`threatstream-add-tag-to-model`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| model | The type of threat model entity on which to add the tag. Default is "intelligence" (indicator). | Optional |
| tags | A CSV list of tags applied to the specified threat model entities or observable. | Required |
| model_id | The ID of the model on which to add the tag. | Required |
#### Context Output
There is no context output for this command.
#### Command Example
threatstream-add-tag-to-model model=intelligence model_id=51375607503 tags="suspicious,not valid"
#### Human Readable Output
Added successfully tags: ['suspicious', 'not valid'] to intelligence
with 51375607503
### threatstream-create-model
***
Creates a threat model with the specified parameters.
#### Base Command
`threatstream-create-model`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| model | The type of threat model to create. | Required |
| name | The name of the threat model to create. | Required |
| is_public | The scope of threat model visibility. | Optional |
| tlp | Traffic Light Protocol designation for the threat model. | Optional |
| tags | A CSV list of tags. | Optional |
| intelligence | A CSV list of indicators IDs associated with the threat model on the ThreatStream platform. | Optional |
| description | The description of the threat model. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| ThreatStream.Model.ModelType | String | The type of the threat model. |
| ThreatStream.Model.ModelID | String | The ID of the threat model. |
| ThreatStream.Model.Indicators.Value | String | The value of indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The source of the indicator. |
| ThreatStream.Model.Indicators.Type | String | The type of the indicator. |
#### Command Example
threatstream-create-model model=actor name="New_Created_Actor" description="Description of the actor threat model" intelligence=53042425466,53042425532,53042425520 tags="new actor,test" tlp=red
#### Context Example
{
"ThreatStream.Model": {
"Indicators": [
{
"Status": "active",
"Confidence": 86,
"IType": "suspicious_domain",
"Severity": "high",
"Tags": "Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech",
"Country": "US",
"Modified": "2019-06-24T10:51:16.384",
"Value": "chatbotshq.com",
"ID": "53042425532",
"Source": "Analyst",
"Organization": "Hostinger International Limited",
"Type": "domain",
"ASN": "12769"
},
{
"Status": "active",
"Confidence": 85,
"IType": "suspicious_domain",
"Severity": "high",
"Tags": "Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech",
"Country": "US",
"Modified": "2019-06-24T10:51:16.589",
"Value": "marketshq.com",
"ID": "53042425520",
"Source": "Analyst",
"Organization": "GoDaddy.com, LLC",
"Type": "domain",
"ASN": "26496"
},
{
"Status": "active",
"Confidence": 77,
"IType": "suspicious_domain",
"Severity": "high",
"Tags": "Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech",
"Country": "US",
"Modified": "2019-06-24T10:54:31.318",
"Value": "leanomalie.com",
"ID": "53042425466",
"Source": "Analyst",
"Organization": "GoDaddy.com, LLC",
"Type": "domain",
"ASN": "26496"
}
],
"ModelType": "Actor",
"ModelID": 26697
}
}
#### Human Readable Output
##### Indicators list for Threat Model Actor with id 26697
| IType | Value | ID | Confidence | Source | Type | Status | Tags | Modified | Organization | ASN | Country | Severity |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| suspicious_domain | chatbotshq.com | 53042425532 | 86 | Analyst | domain | active | Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech | 2019-06-24T10:51:16.384 | Hostinger International Limited | 12769 | US | high |
| suspicious_domain | marketshq.com | 53042425520 | 85 | Analyst | domain | active | Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech | 2019-06-24T10:51:16.589 | GoDaddy.com, LLC | 26496 | US | high |
| suspicious_domain | leanomalie.com | 53042425466 | 77 | Analyst | domain | active | Suspicious-Domain-Registration,TSLABS,victim-Hi-Tech | 2019-06-24T10:54:31.318 | GoDaddy.com, LLC | 26496 | US | high |
### threatstream-update-model
***
Updates a threat model with specific parameters. If one or more optional parameters are defined, the command overrides the previous data stored in ThreatStream.
#### Base Command
`threatstream-update-model`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| model | The type of threat model to update. | Required |
| model_id | The ID of the threat model to update. | Required |
| name | The name of the threat model to update. | Optional |
| is_public | The scope of threat model visibility. | Optional |
| tlp | Traffic Light Protocol designation for the threat model. | Optional |
| tags | A CSV list of tags. | Optional |
| intelligence | A CSV list of indicators IDs associated with the threat model on the ThreatStream platform. | Optional |
| description | The description of the threat model. | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| ThreatStream.Model.ModelType | String | The type of the threat model. |
| ThreatStream.Model.ModelID | String | The ID of the threat model. |
| ThreatStream.Model.Indicators.Value | String | The value of indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ID | String | The ID of indicator associated with the specified model. |
| ThreatStream.Model.Indicators.IType | String | The iType of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Severity | String | The severity of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Confidence | String | The confidence of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Country | String | The country of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Organization | String | The organization of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.ASN | String | The ASN of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Status | String | The status of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Tags | String | The tags of the indicator associated with the specified model. |
| ThreatStream.Model.Indicators.Modified | String | The date and time the indicator was last modified. |
| ThreatStream.Model.Indicators.Source | String | The source of the indicator. |
| ThreatStream.Model.Indicators.Type | String | The type of the indicator. |
#### Command Example
threatstream-update-model model=actor model_id=26697 intelligence=53042694591 tags="updated tag,gone"
#### Context Example
{
"ThreatStream": {
"Model": {
"Indicators": [
{
"ASN": "",
"Confidence": 36,
"Country": "CA",
"ID": "53042694591",
"IType": "exploit_ip",
"Modified": "2019-06-24T11:28:31.185",
"Organization": "OVH Hosting",
"Severity": "high",
"Source": "Analyst",
"Status": "active",
"Tags": "HoneyDB",
"Type": "ip",
"Value": "54.39.20.14"
}
],
"ModelID": "26697",
"ModelType": "Actor"
}
}
}
#### Human Readable Output
##### Indicators list for Threat Model Actor with id 26697
| IType | Value | ID | Confidence | Source | Type | Status | Tags | Modified | Organization | ASN | Country | Severity |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| exploit_ip | 54.39.20.14 | 53042694591 | 36 | Analyst | ip | active | HoneyDB | 2019-06-24T11:28:31.185 | OVH Hosting | | CA | high |
### threatstream-supported-platforms
***
Returns the list of supported platforms for the default or premium sandbox.
#### Base Command
`threatstream-supported-platforms`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| sandbox_type | The type of sandbox ("default" or "premium"). | Optional |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| ThreatStream.PremiumPlatforms.Name | String | Name of the supported platform for the premium sandbox. |
| ThreatStream.PremiumPlatforms.Types | String | Type of supported submissions for the premium sandbox. |
| ThreatStream.PremiumPlatforms.Label | String | The display name of the supported platform of the premium sandbox. |
| ThreatStream.DefaultPlatforms.Name | String | Name of the supported platform for the standard sandbox. |
| ThreatStream.DefaultPlatforms.Types | String | Type of supported submissions for the standard sandbox. |
| ThreatStream.DefaultPlatforms.Label | String | The display name of the supported platform of standard sandbox. |
#### Command Example
threatstream-supported-platforms sandbox_type=default
#### Context Example
{
"ThreatStream.DefaultPlatforms": [
{
"Name": "WINDOWSXP",
"Types": [
"file",
"url"
],
"Label": "Windows XP"
},
{
"Name": "WINDOWS7",
"Types": [
"file",
"url"
],
"Label": "Windows 7"
},
{
"Name": "ALL",
"Types": [
"file",
"url"
],
"Label": "All"
}
]
}
#### Human Readable Output
##### Supported platforms for default sandbox
| Name | Types | Label |
| --- | --- | --- |
| WINDOWSXP | file, url | Windows XP |
| WINDOWS7 | file, url | Windows 7 |
| ALL | file, url | All |
### url
***
Checks the reputation of the given URL.
#### Base Command
`url`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| url | The URL to check. | Required |
| threshold | If severity is greater than or equal to the threshold, then the URL will be considered malicious. This argument will override the default threshold defined as a parameter. | Optional |
| include_inactive | Whether to include results with the status "Inactive". Default is "False". | Optional |
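The following is an added example, not the integration's own code, showing how the `threshold` and `include_inactive` arguments described above turn a ThreatStream severity into a DBotScore. It assumes the ladder low < medium < high < very-high from the `ThreatStream.URL.Severity` description, the Cortex XSOAR score scale 0/1/2/3 = Unknown/Good/Suspicious/Bad, a default threshold of "high", and that a result below the threshold scores Good; the page does not state how several matching results are combined, so the highest severity is taken.

```python
# Added example (not the ThreatStream integration's own code).
# Assumptions not stated on the page: default threshold "high", a result
# below the threshold scores 1 (Good), no usable result scores 0 (Unknown),
# and among several results the highest severity wins.

# Severity ladder taken from the ThreatStream.URL.Severity description.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "very-high": 3}

# DBotScore values used by Cortex XSOAR: Unknown / Good / Suspicious / Bad.
SCORE_UNKNOWN, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3


def severity_at_or_above(severity, threshold):
    """True when `severity` ranks at or above `threshold` on the ladder."""
    try:
        return SEVERITY_ORDER[severity.lower()] >= SEVERITY_ORDER[threshold.lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unknown severity or threshold: {severity!r}, {threshold!r}")


def select_indicator(results, include_inactive=False):
    """Pick the result to score from a list of ThreatStream indicator results.

    Results whose status is not "active" are dropped unless include_inactive
    is set; of the remaining results the highest severity wins (assumption).
    """
    candidates = [
        r for r in results
        if include_inactive or str(r.get("status", "")).lower() == "active"
    ]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: SEVERITY_ORDER.get(str(r.get("severity", "")).lower(), -1))


def url_dbot_score(results, threshold="high", include_inactive=False):
    """Return (DBotScore, chosen result) for a URL reputation check."""
    hit = select_indicator(results, include_inactive)
    if hit is None or str(hit.get("severity", "")).lower() not in SEVERITY_ORDER:
        return SCORE_UNKNOWN, hit
    if severity_at_or_above(hit["severity"], threshold):
        return SCORE_BAD, hit
    return SCORE_GOOD, hit


# Constructed sample results (documentation address, not a real indicator),
# shaped like the fields the command returns: two feeds, one inactive.
SAMPLE_RESULTS = [
    {"value": "http://198.51.100.7/sample.bin", "severity": "very-high",
     "status": "active", "source": "constructed-feed-A"},
    {"value": "http://198.51.100.7/sample.bin", "severity": "medium",
     "status": "inactive", "source": "constructed-feed-B"},
]

if __name__ == "__main__":
    score, hit = url_dbot_score(SAMPLE_RESULTS, threshold="high")
    print(score, hit["source"])  # 3 constructed-feed-A
```

Raising the threshold to "very-high" still flags the sample as Bad, while passing only the inactive result without `include_inactive` yields Unknown because nothing is left to score.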
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| URL.Data | String | The URL of the indicator. |
| URL.Tags | Unknown | (List) Tags of the URL. |
| URL.Malicious.Vendor | String | Vendor that reported the indicator as malicious. |
| ThreatStream.URL.Modified | String | Date and time when the indicator was last updated. The date format is: YYYYMMDDThhmmss, where "T" denotes the start of the value for time, in UTC time. |
| ThreatStream.URL.Confidence | String | Level of certainty that an observable is of the reported indicator type. Confidence score can range from 0-100, in increasing order of confidence. |
| ThreatStream.URL.Status | String | The status of the indicator. |
| ThreatStream.URL.Organization | String | Name of the business that owns the IP address associated with the indicator. |
| ThreatStream.URL.Address | String | URL of the indicator. |
| ThreatStream.URL.Country | String | Country associated with the indicator. |
| ThreatStream.URL.Type | String | The indicator type. |
| ThreatStream.URL.Source | String | The source of the indicator. |
| ThreatStream.URL.Severity | String | The indicator severity \("very-high", "high", "medium", or "low"\). |
| ThreatStream.URL.Tags | Unknown | Tags assigned to the URL. |
#### Command Example
url url=http://194.147.35.172/mikey.mpsl using-brand="Anomali ThreatStream v2"
#### Context Example
{
"URL": {
"Malicious": {
"Vendor": "ThreatStream"
},
"Data": "http://194.147.35.172/mikey.mpsl",
"Tags": ["phish-target", "victim-hi-tech"]
},
"ThreatStream.URL": {
"Status": "active",
"Confidence": 90,
"Severity": "very-high",
"Country": "RU",
"Modified": "2019-06-24T10:10:05.890Z",
"Source": "H3X Tracker",
"Address": "http://194.147.35.172/mikey.mpsl",
"Organization": "LLC Baxet",
"Type": "url",
"Tags": [{"id": "4wq", "name": "phish-target", "org_id": "88"}, {"id": "ezn", "name": "victim-hi-tech", "org_id": "88"}]
},
"DBotScore": {
"Vendor": "H3X Tracker",
"Indicator": "http://194.147.35.172/mikey.mpsl",
"Score": 3,
"Type": "url"
}
}
#### Human Readable Output
##### URL reputation for: `http://194.147.35.172/mikey.mpsl`
| Address | Confidence | Source | Type | Status | Modified | Organization | Country | Severity |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `http://194.147.35.172/mikey.mpsl` | 90 | H3X Tracker | url | active | 2019-06-24T10:10:05.890Z | LLC Baxet | RU | very-high |